Information Technology

CALEA

The Status of CALEA at Baldwin Wallace University

CALEA (the Communications Assistance for Law Enforcement Act) was originally passed in 1994 in response to a request for assistance from law enforcement. It required providers of commercial voice services to structure their networks to allow law enforcement agencies the ability to executing wiretap orders. For a copy of the act, go to:http://www.techlawjournal.com/agencies/calea/47usc1001.htm. Institutions which are NOT exempt from CALEA were required to be under full CALEA compliance by May 14, 2007.
Higher education institutions were initially exempt from CALEA compliance because they were considered "private networks." However, on August 5, 2005, the FCC (Federal Communications Commission), in response to a request by law enforcement, extended CALEA compliance to include facilities-based Internet service providers. This included most college campuses due to their capacity of providing public access to the Internet. Subsequently, a private network is now defined as a network that does not have the ability to interconnect with the public Internet, or, in the case of VoIP, to interconnect with the public switched telephone network (PSTN). For a copy of the FCC report, go to:http://www.educause.edu/LibraryDetailPage/666?ID=EPO0528.

The Information Technology staff at Baldwin Wallace has arrived at the conclusion that the University IS exempt from CALEA due to its inclusion in the definition of a private network. Although BW is claiming the exempt designation, the University understands that it could still be required and must be willing to assist any Law Enforcement Agency (LEA) in obtaining information for a CALEA-related requested. It is also the intention of the University to move forward with this issue as mandatory compliance for all colleges (following the FCC evaluation of the number of colleges/universities who claimed exemption) is anticipated.

The following list covers items related to this issue that have been discussed and how each will be handled:

Campus-Wide Authentication:

Scenario: A law enforcement agency presents the University with a request for information on the activity of a John Doe.

One of the first pieces of information we will be expected to provide is where John Doe has been (from a network perspective) during the time period in question. This could be accomplished by having campus-wide authentication and turning on the associated logging of that information in order to determine the address or addresses that John Doe has been using. This would require the proper software and hardware support from the law enforcement agency.
Everyone using our wired network (all students in residence halls or anyone using one of our computer labs or desktop computers) is required to authenticate in order to access the campus network. Our wireless network allows both authenticated access to the campus network and non-authenticated access to just the Internet. Non-authenticated access is limited to three hours/day before re-authentication is required.

Temporary Accounts:

While there are no direct references or opinions in the CALEA regulations that state that casual users (such as visitors, conference attendees, or others involved in campus life or the academic community) need to authenticate, moving toward that goal through the use of temporary accounts could be useful. It does not appear to be a requirement at this time, however from the standpoint of assisting a LEA, the more information we could provide about individual users who have accessed our network, the better.
The Information Technology Department at BW has been using temporary accounts for visitors of the University library to allow access to the campus network. The library requires proper identification from any guest requesting to access the network prior to issuing a temporary account.

IP Address/MAC Address Tracking:

On the BW computer network, most IP (Internet protocol) addresses are dynamic. If requested, we are able to match a particular MAC (media access control) address to a particular IP address in order to assist a LEA. For example, if John Doe is connecting his laptop at various locations within the University, then his IP address will vary. However, by logging the IP address and the associated MAC address, there is a much greater probability of finding the IP sessions John Doe has initiated. This is not fool proof as MAC addresses can be intentionally manipulated by someone with the knowledge to do so.

The IT Department has also started to dynamically assign public IP addresses to the students living in the residence halls. This will facilitate easier identification of a particular student/user by simply knowing the IP address.

Flow Tracking:

We are able to log the destinations that an IP address goes out to (off campus). However, retention of these log records is limited due lack of disk space. As the CALEA guidelines are better defined and the required amount (days, weeks or months) of logging information is determined, we will have a better idea of how much disk space will be needed.
Packet Duplication:

Another key element to any CALEA-related request may be the ability to duplicate the packets from the IP address being observed. We anticipate that (OSCnet) will be able to provide this service to a LEA if requested.
Time Stamping:

Any LEA requesting information will want accurate date and time information. The BW network uses NTP (Network Time Protocol) to ensure that any log files or real time captures reflect the correct time.

Physical Port Documentation:

When a LEA presents a request for information on a person or IP address, they may also ask for the location of the device that person is using. By having the ability to associate a user to an IP address, a MAC address, and to a physical port, providing that information is possible.
For any CALEA-related inquiries at Baldwin Wallace University, the initial contact person will be the CIO, Greg Flanik. If the CIO is unavailable, the Senior Vice President, Dick Fletcher should be contacted. Once a subpoena has been validated, the appropriate IT staff personnel will be assigned to assist the LEA. University personnel will make certain that all requests are handled efficiently and with the utmost discretion and confidentiality, involving the minimum number of people possible.